Dynamic Analysis of Embedded Software

abstract: Most embedded applications are constructed with multiple threads to handle concurrent events. For optimization and debugging of the programs, dynamic program analysis is widely used to collect execution information while the program is running. Unfortunately, the non-deterministic behavior of multithreaded embedded software makes the dynamic analysis difficult. In addition, instrumentation overhead for gathering execution information may change the execution of a program, and lead to distorted analysis results, i.e., probe effect. This thesis presents a framework that tackles the non-determinism and probe effect incurred in dynamic analysis of embedded software. The thesis largely consists of three parts. First of all, we discusses a deterministic replay framework to provide reproducible execution. Once a program execution is recorded, software instrumentation can be safely applied during replay without probe effect. Second, a discussion of probe effect is presented and a simulation-based analysis is proposed to detect execution changes of a program caused by instrumentation overhead. The simulation-based analysis examines if the recording instrumentation changes the original program execution. Lastly, the thesis discusses data race detection algorithms that help to remove data races for correctness of the replay and the simulation-based analysis. The focus is to make the detection efficient for C/C++ programs, and to increase scalability of the detection on multi-core machines.Dissertation/ThesisDoctoral Dissertation Computer Science 201

Doctor of Philosophy

dissertationA modern software system is a composition of parts that are themselves highly complex: operating systems, middleware, libraries, servers, and so on. In principle, compositionality of interfaces means that we can understand any given module independently of the internal workings of other parts. In practice, however, abstractions are leaky, and with every generation, modern software systems grow in complexity. Traditional ways of understanding failures, explaining anomalous executions, and analyzing performance are reaching their limits in the face of emergent behavior, unrepeatability, cross-component execution, software aging, and adversarial changes to the system at run time. Deterministic systems analysis has a potential to change the way we analyze and debug software systems. Recorded once, the execution of the system becomes an independent artifact, which can be analyzed offline. The availability of the complete system state, the guaranteed behavior of re-execution, and the absence of limitations on the run-time complexity of analysis collectively enable the deep, iterative, and automatic exploration of the dynamic properties of the system. This work creates a foundation for making deterministic replay a ubiquitous system analysis tool. It defines design and engineering principles for building fast and practical replay machines capable of capturing complete execution of the entire operating system with an overhead of several percents, on a realistic workload, and with minimal installation costs. To enable an intuitive interface of constructing replay analysis tools, this work implements a powerful virtual machine introspection layer that enables an analysis algorithm to be programmed against the state of the recorded system through familiar terms of source-level variable and type names. To support performance analysis, the replay engine provides a faithful performance model of the original execution during replay

Cutting Through the Complexity of Reverse Engineering Embedded Devices

Performing security analysis of embedded devices is a challenging task. They present many difficulties not usually found when analyzing commodity systems: undocumented peripherals, esoteric instruction sets, and limited tool support. Thus, a significant amount of reverse engineering is almost always required to analyze such devices. In this paper, we present Incision, an architecture and operating-system agnostic reverse engineering framework. Incision tackles the problem of reducing the upfront effort to analyze complex end-user devices. It combines static and dynamic analyses in a feedback loop, enabling information from each to be used in tandem to improve our overall understanding of the firmware analyzed. We use Incision to analyze a variety of devices and firmware. Our evaluation spans firmware based on three RTOSes, an automotive ECU, and a 4G/LTE baseband. We demonstrate that Incision does not introduce significant complexity to the standard reverse engineering process and requires little manual effort to use. Moreover, its analyses produce correct results with high confidence and are robust across different OSes and ISAs

ESAS Deliverable PS 1.1.2.3: Customer Survey on Code Generations in Safety-Critical Applications

Automated code generators (ACG) are tools that convert a (higher-level) model of a software (sub-)system into executable code without the necessity for a developer to actually implement the code. Although both commercially supported and in-house tools have been used in many industrial applications, little data exists on how these tools are used in safety-critical domains (e.g., spacecraft, aircraft, automotive, nuclear). The aims of the survey, therefore, were threefold: 1) to determine if code generation is primarily used as a tool for prototyping, including design exploration and simulation, or for fiight/production code; 2) to determine the verification issues with code generators relating, in particular, to qualification and certification in safety-critical domains; and 3) to determine perceived gaps in functionality of existing tools

Optimising the NAOMI adaptive optics real-time control system

This thesis describes the author's research in the field of Real-Time Control (RTC) for Adaptive Optics (AO) instrumentation. The research encompasses experiences and knowledge gained working in the area of RTC on astronomical instrumentation projects whilst at the Optical Science Laboratories (OSL), University College London (UCL), the Isaac Newton Groups of Telescopes (ING) and the Centre for Advanced Instrumentation (СfAI), Durham University. It begins by providing an extensive introduction to the field of Astronomical Adaptive Optics covering Image Correction Theory, Atmospheric Theory, Control Theory and Adaptive Optics Component Theory. The following chapter contains a review of the current state of world wide AO instruments and facilities. The Nasmyth Adaptive Optics Multi-purpose Instrument (NAOMI), the common user AO facility at the 4.2 William Herschel Telescope (WHT), is subsequently described. Results of NAOMI component characterisation experiments are detailed to provide a system understanding of the improvement optimisation could offer. The final chapter investigates how upgrading the RTCS could increase NAOMI'S spatial and temporal performance and examines the RTCS in the context of Extremely Large Telescope (ELT) class telescopes

Development and Testing of a Vehicle Management System for Autonomous Spacecraft Habitat Operations

As the increased distance between Earth-based mission control and the spacecraft results in increasing communication delays, small crews cannot take on all functions performed by ground today, and so vehicles must be more automated to reduce the crew workload for such missions. In addition, both near-term and future missions will feature significant periods when crew is not present, meaning the vehicles will need to operate themselves autonomously. NASA's Advanced Exploration Systems Program pioneers new approaches for rapidly developing prototype systems, demonstrating key capabilities, and validating operational concepts for future human missions beyond low-Earth orbit. Under this program, NASA has developed and demonstrated multiple technologies to enable the autonomous operation of a dormant space habitat. These technologies included a fault-tolerant avionics architecture, novel spacecraft power system and power system controller, and autonomy software to control the habitat. The demonstration involved simulation of the habitat and multiple spacecraft sub-systems (power storage and distribution, avionics, and air-side life-support) during a multi-day test at NASA's Johnson Space Center. The foundation of the demonstration was quiescent operations' of a habitat during a 55 minute eclipse period. For this demonstration, the spacecraft power distribution system and air-side life support system were simulated at a high level of fidelity; additional systems were managed, but with lower fidelity operational constraints and system behavior. Operational constraints for real and simulated loads were developed by analyzing on-orbit hardware and evaluating future Exploration capable technology. A total of 13 real and simulated loads were used during the test. Eight scenarios including both nominal and off-nominal conditions were performed. Over the course of the test, every application performed its desired functions successfully during the simulated tests. The results will inform both future tests, as well as provide insight to NASA's domestic and international partners, as they construct the next generation of space habitats to be used on beyond-Earth missions

Techniques for Detection, Root Cause Diagnosis, and Classification of In-Production Concurrency Bugs

Concurrency bugs are at the heart of some of the worst bugs that plague software. Concurrency bugs slow down software development because it can take weeks or even months before developers can identify and fix them. In-production detection, root cause diagnosis, and classification of concurrency bugs is challenging. This is because these activities require heavyweight analyses such as exploring program paths and determining failing program inputs and schedules, all of which are not suited for software running in production. This dissertation develops practical techniques for the detection, root cause diagnosis, and classification of concurrency bugs for inproduction software. Furthermore, we develop ways for developers to better reason about concurrent programs. This dissertation builds upon the following principles: — The approach in this dissertation spans multiple layers of the system stack, because concurrency spans many layers of the system stack. — It performs most of the heavyweight analyses in-house and resorts to minimal in-production analysis in order to move the heavy lifting to where it is least disruptive. — It eschews custom hardware solutions that may be infeasible to implement in the real world. Relying on the aforementioned principles, this dissertation introduces: 1. Techniques to automatically detect concurrency bugs (data races and atomicity violations) in-production by combining in-house static analysis and in-production dynamic analysis. 2. A technique to automatically identify the root causes of in-production failures, with a particular emphasis on failures caused by concurrency bugs. 3. A technique that given a data race, automatically classifies it based on its potential consequence, allowing developers to answer questions such as “can the data race cause a crash or a hang?”, or “does the data race have any observable effect?”. We build a toolchain that implements all the aforementioned techniques. We show that the tools we develop in this dissertation are effective, incur low runtime performance overhead, and have high accuracy and precision

Dyretiva: um método para a verificação das restrições temporais em sistemas embarcados

The Dyretiva is a method used for verifying the time constraints of embedded realtime systems. The verification is performed by monitoring the embedded software when it is running in an embedded hardware. The Dyretiva method takes into account the resource constrained nature of embedded systems and the time bounded nature of real-time systems. The method is comprised by a monitoring approach and a fault model. The monitoring approach defines the physical and the logical interfaces used in the observation of the system under test, as well as the strategies used for an optimized trace data collection. The fault model identifies relationships and components of the system under test that are most likely to have time faults. To demonstrate Dyretiva concepts, a set of support tools called SoftScope has been developed. SoftScope is comprised of a source code pre-instrumentation tool, a source code instrumentation tool, a hybrid monitor, a program for controlling the hybrid monitor, programs for filtering and analyzing trace data, and a graphical presentation tool. The Dyretiva method and the SoftScope tool set are an integral part of the work-inprogress PERF project, which is under development in the LIT (Laboratory of Embedded Systems Innovation and Technology), at the UTFPR (Federal Technological University of Paraná State). The objective of the PERF project is to build a complete environment suitable for the development of embedded and real-time systems.O Dyretiva é um método desenvolvido para utilização na fase de testes de sistemas embarcados operando em tempo real e, em especial, na verificação das restrições temporais do sistema. Como a fase de testes situa-se no final do processo de desenvolvimento, quando o hardware está disponível e o software codificado, a verificação temporal é feita por meio de monitoração do sistema sob teste. As principais premissas do Dyretiva são considerar a limitação de recursos dos sistemas embarcados e as características intrínsecas dos sistemas em tempo real. O método é definido por uma abordagem de monitoração e por um modelo de falta. A abordagem de monitoração define a interface física e lógica necessárias para observar o sistema sob teste, bem como as estratégias de utilização que permitem otimizar a coleta de dados. O modelo de falta identifica as relações e componentes do sistema onde existe maior probabilidade de encontrar os erros procurados. Para demonstrar os conceitos do Dyretiva, um conjunto de ferramentas de apoio a aplicação do método foi construído. Este conjunto, chamado de SoftScope, é composto por seis ferramentas: um pré-instrumentador de código, um instrumentador de código, um monitor, um programa de controle do monitor, programas para filtragem e análise dos dados capturados e um programa de visualização dos resultados. O Dyretiva e o SoftScope são parte integrante do projeto PERF, que está em andamento no LIT (Laboratório de Inovação e Tecnologia em Sistemas Embarcados) da UTFPR (Universidade Tecnológica Federal do Paraná), cujo objetivo é construir um ambiente completo para o desenvolvimento de sistemas embarcados operando em tempo real

Using embedded hardware monitor cores in critical computer systems

The integration of FPGA devices in many different architectures and services makes monitoring and real time detection of errors an important concern in FPGA system design. A monitor is a tool, or a set of tools, that facilitate analytic measurements in observing a given system. The goal of these observations is usually the performance analysis and optimisation, or the surveillance of the system. However, System-on-Chip (SoC) based designs leave few points to attach external tools such as logic analysers. Thus, an embedded error detection core that allows observation of critical system nodes (such as processor cores and buses) should enforce the operation of the FPGA-based system, in order to prevent system failures. The core should not interfere with system performance and must ensure timely detection of errors. This thesis is an investigation onto how a robust hardware-monitoring module can be efficiently integrated in a target PCI board (with FPGA-based application processing features) which is part of a critical computing system. [Continues.

Android Application Development for the Intel Platform

Computer scienc